User-controlled privacy through self-sovereign identity

More and more, we conduct business online and through one or several digital identities, ranging from credentials issued from a single organization to a reusable, verified electronic identity. In a research report we conducted 72% of consumers interviewed wanted a digital-only onboarding process for new financial services. Coinciding with this however, we find consumers becoming more privacy-conscious and there’s a growing trend towards having consumers “owning” and controlling their data.

We refer to this as Self-Sovereign Identity (SSI). SSI is a rather new concept, and there is no consensus on the exact definition. There is agreement that the user should be in control of their own identity data, but there is disagreement as to how this can be achieved.

This article will look at how to achieve this, using identity custodians.

Is blockchain the answer?

In a word, no. Blockchain technology offers the world a number of exciting opportunities to innovate and to solve problems in ways that haven’t been considered previously. However as a framework for creating a digital identity, blockchain has a few critical flaws that need to be addressed.

Most obviously, users are notorious for losing passwords and requiring assistance with resetting their accounts. In a blockchain world, digital identities cannot be recovered and it is the sole responsibility of the user to keep track of their login credentials. After all, by some reports there are over $20bn worth of bitcoins that are lost because the retrieval codes have gone missing.

In addition, the blockchain solutions typically put the information on the users’ own devices, encrypted, under the sole control of the user. Which is good until you lose the device, in which case there is no recovery mechanisms, as this would violate the thought of the user’s sole control.

As if that is not enough, who is liable in case of a breach? And who do you call if you have a problem? The idea behind blockchain is that there is no central authority and no ownership. Which also means no liability for the infrastructure.

As human beings, we are used to always being able to have somebody to call if there is a problem. Everybody has used the “I forgot my password” function multiple times. Most of us at some point have called a locksmith to get us into our car or house, because we have lost the key. Remember that with modern cryptography, there is no backdoor. There is nobody to call if you lose the key.

Finally, do users really want to manage their own data? And if so, can we trust them to do this. Digital identity is something which should be available and work, nothing that the end users should need to worry about.

If blockchain isn’t the answer, what is?

Enter the Identity Custodian

An Identity Custodian manages the identity infrastructure and assists users in managing and retrieving their data. An identity custodian will manage the user’s data on behalf of each user, very much in the same way banks manage the user’s money on their behalf, which few people seem to question.

This will have the following benefits for the user:

Somebody to call when there is a problem.

Somebody who is liable if there is any kind of problem.

Somebody who is managing the electronic identity.

As a user, I will choose an identity custodian I trust. I will be able to change to a different custodian when needed.

What is an anonymous self-sovereign identity?

Another advantage to taking this approach is the ability to offer a mostly anonymous digital persona that is tied to a verified identity. We are beginning to experiment with this in the Nordics.

Occasionally users want to be anonymous in certain online interactions, such as discussion groups or online communities. With Anonymous Self-Sovereign Identity, these users can remain anonymous, but their real identity can be discovered using a court order or similar.

Additionally, the anonymous-SSI will also prevent users from going back into a forum (where they have been expelled) with a new alias.

Who should be Identity Custodians?

As part of our Battle to On-Board research, we discovered that in most markets consumers have the most trust for banks to hold their digital identities (when compared to governments, specialist companies, and social media platforms).

This coincides with the most effective electronic identities in the market. These are found in the Nordics and are consistently driven by banks. Banks’ main business is trust. They are trusted with our money. In these days of PSD2, the banks risk being reduced to “plumbing”, and could use the opportunity to step up, and be recognized as trust service providers.

Benefits to banks

Consumer trust. With consumer data for sale from many online organizations, and through shoddy security and data breaches, consumer trust is low. Enabling consumers to work with businesses through a SSI means that digital trust can begin to be rebuilt.

Enhanced services and offerings. Finally, with a verified self-sovereign identity, organizations can begin to offer services that protect the privacy of their users online, or Anonymous Self-Sovereign Identity.

In conclusion

Banks face a unique opportunity in today’s evolving digital identity landscape. As witnessed by the success of the digital identities from the Nordics, there is a model for banks to increase their involvement in digital transactions and build improved consumer trust, while supporting consumers desire for both privacy and ease of use.